- Attack of the IRC Spam-bots
Hot on the heels of the Botnet caught bundling Zango a few days ago, here's an interesting one I found while lurking in the outermost regions of IRC yesterday...
First off, check out this IRC server. It's fair to say it has a large userbase (at least 16,000 channels!):
...and with that many users, it's a prime target for Botnet pimping. So with that in mind, let's pick up that Pimp Goblet and get things moving!
Assume...just assume...that IRC is, in fact, full of spammers, viruses, Trojans, haxx0rs and Malware. Then...assume that lots of infected users fire spam messages at you to try and infect you with more garbage, making you a part of that particular Botnet.
Then...assume I was fired a Spam message myself, and decided to have a play with the files....
...and sure enough, that's what happened! At this point, I'd usually show you a screenshot of the infection taking hold of the PC, but the thing about "straight" Botnet installers (ie: minus Adware) is that they aren't much use if they put a big, flashing "Botnet Alert!!!!112" message in the middle of your screen. But what I can show you, is a walkthrough of what this particular nasty actually does.
Suffice to say, this install takes place in two parts, and is run via two different Botnets - the Spam installers come from one source, and the Scanner installers come from another. This is merely a safety precaution - if you lose all your Spam-bots due to being shut down, you still have your "Scanner Bots" (which hunt for exploitable machines), and vice versa. No point rebuilding an Empire from scratch, right?
Now let's examine the state of the Server itself - the view is not pretty. The Admins of the IRC server clearly know about the Bot problems - because I've never seen so many Bot kickers, drone watchers and channels full of infected users being dumped out of channels in my life:
As you can see, my IP has been banned from that channel due to the fact it was used when I tested this infection previously - hence, I'm kicked out by a Channel Operator. In addition, I'm not even allowed to enter the other channel (blanked out) - such is the hatred here for Bots. Well, it's understandable.
At this point, I enter one of the (semi-random) channels I know this Bot tries to slip you into from my clean PC...and I wait for my infected test-box to show up. See, this thing works like this: user gets infected, infected PC enters and exits a number of IRC channels and has a particular phrase set as the "away" message. At this point, the away message is Spammed to lots of different users, or is viewable when they look up the infected user's contact info. While I'm waiting for my infected machine to show up, I'm bombarded with what looks like different Bot-spam from anything up to 12 different users within the first 10 seconds of entering the channel. Eventually, my infected PC turns up, and I know for sure that this Botnet is up and running correctly. Of course, all the infected PCs are called things like HOTGURL4YOU, to encourage foolish men to start messaging the Bot like crazy. Which they do....and they then see the away message:
Ooh, yes please!! Want to make a guess how many people will fall for this simple bit of social engineering? Sure enough, anyone foolish enough to click the link and execute the - er - executable...will find themselves upgraded to a higher realm of Botnets!
The "higher realm" here means a Botnet that scans networks for specific vulnerabilities to spread itself still further. I know what you're thinking at this point - the story wouldn't be complete without a screenshot of the master infection channel, right? Well, have no fear, because the Ghostman has already predicted your need to see a payoff shot and here it is:
As a sideline, I should add that I don't just find Botnets and take a bunch of pretty pictures, before leaving them to go look for new ones - appropriate steps are taken to get them shut down where possible. I've since found out this one is also being investigated by another group, and I'll be forwarding the information I've collected here to see if it can be put to good use.
In the meantime, if you insist on navigating the dangrous currents of IRC, think twice before checking out SUPAHOTTIEGURL's latest batch of home-grown pictures, or you may find yourself appearing in my next collection of screenshots!